Bitcoin Forum
Author Topic: Risk Of Losing Bitcoins Through Seed Creation  (Read 361 times)
Pmalek
November 09, 2021, 09:06:59 PM
 #21

> I always find it amusing just how many threads we see popping up along these lines, of people wondering "What if someone guesses my seed phrase" or "What if someone generates the same private key as me".
I don't mind if someone inquires and even questions the security of the network unless I can feel a malicious tone or agenda. With OP, I am not feeling one. His first sentence might be leaning in that direction, but I still look at it as someone asking how possible is a scenario where a user keeps creating new Electrum seeds and wallets until he finds a collision.

It would have been much worse if he had claimed that Bitcoin/Electrum is unsafe because it's easy to find someone else's seed, and he supported his claims with false data, stats, etc. Here, it still seems like OP is looking for some clarification.   

PrimeNumber7
November 09, 2021, 09:54:13 PM
 #22

Say for example, I have a seed of:
Code:
eager assist dutch group deny wealth gown disorder goddess inmate same scrap

The first five addresses I would generate would be:
Code:
path, address
m/84'/0'/14'/4/0,bc1qx3kaxwcuxzsu2ur94453nvfglp8eka9a5fqwpj
m/84'/0'/14'/4/1,bc1q6dmxds943wd8u7r7enr2uyfffgcrfn78gsx7sj
m/84'/0'/14'/4/2,bc1q7v8x5980vvfpx96zp6y2j4jhn8jn2hmuyp90dy
m/84'/0'/14'/4/3,bc1q48935lt9v8ghqmpfmycrpwp0a7wk3jt5tf7mx6
m/84'/0'/14'/4/4,bc1qfvs9arztcgzj7tp8krrw8nq85gfte92cld8u98

You can get a high-level overview of how the above addresses are created by looking at this post from Greg Maxwell in 2011.

At a high level, when you "generate" an address in Electrum, you are passing a derivative of your seed, and additional data into a hash function, the output of which is the private key of your "generated" address. The additional data passed through the hash function changes in a predictable way, such that it is trivial to calculate the "additional data" based on the number of addresses already generated.

Generating one additional address via Electrum is the same as generating one additional private key. I refer you to the image previously posted by bitmover. If you were to continue generating addresses with your seed, you would eventually generate every potential private key. However, it is not possible to generate every private key because the sun does not contain enough energy.
ps1234 (OP)
November 10, 2021, 08:52:34 AM
 #23

Thanks to all for the illuminating comments.

I'll shut up and stop worrying about theoretical issues and I'll follow o_e_l_e_o's advice:
> The weakest part of bitcoin is almost always the user. Rather than worrying about the impossible (someone breaking 128 bits of security), worry about all the other ways you are risking your coins instead.
o_e_l_e_o
November 10, 2021, 01:26:10 PM
 #24

> The first five addresses I would generate would be:
Except Electrum would never use those derivation paths, since if you are following BIP44, the change value will only ever be 0 for external chain or 1 for internal chain, and never 4. Since Electrum automatically adds /0/x on to the end of your specified derivation path for receiving addresses and /1/x for change addresses, then the closest you could come would be to specify m/84'/0'/14'/4, which would give your first address at m/84'/0'/14'/4/0/0 - bc1qgz9qy5wnj2a5wq2gd5yu4ld5ud6l364flxzjzz.

You could obviously still derive those addresses externally if you wanted and import the private keys individually into Electrum, but they do not follow the BIP44 standard.
PrimeNumber7
November 10, 2021, 03:11:17 PM
 #25

> > The first five addresses I would generate would be:
> Except Electrum would never use those derivation paths, since if you are following BIP44, the change value will only ever be 0 for external chain or 1 for internal chain, and never 4. Since Electrum automatically adds /0/x on to the end of your specified derivation path for receiving addresses and /1/x for change addresses, then the closest you could come would be to specify m/84'/0'/14'/4, which would give your first address at m/84'/0'/14'/4/0/0 - bc1qgz9qy5wnj2a5wq2gd5yu4ld5ud6l364flxzjzz.
>
> You could obviously still derive those addresses externally if you wanted and import the private keys individually into Electrum, but they do not follow the BIP44 standard.

Electrum is open source, and as such, you could change the default derivation paths routes for the change index. So you would specify /84'/0'/14' as the derivation path after changing the index for receiving/change addresses. While the implementation may be non-standard, the resulting addresses are standard, as are any transactions sent from those addresses (all else being normal).

The point of my post was that given a high enough index range, such as m/84'/0'/14'/0 through m/84'/0'/14'/2^256 you will have collisions with addresses that other people have generated, however it is not possible to generate that many addresses.
o_e_l_e_o
November 10, 2021, 03:52:22 PM
 #26

> The point of my post was that given a high enough index range, such as m/84'/0'/14'/0 through m/84'/0'/14'/2^256 you will have collisions with addresses that other people have generated, however it is not possible to generate that many addresses.
You cannot have an index of 2^256, as the limit for each index is 2^32. 0 through 2^31 - 1 is used for unhardened indices, and 2^31 through 2^32 - 1 is used for hardened indices. Using the ' symbol to denote a hardened index is essentially code for whatever number you pick plus 2^31.

You can, however, have up to 255 additional levels to your derivation path beyond m, which means that theoretically any seed phrase can produce a maximum of (2^32)^255 private keys, which is a number many orders of magnitude larger than the number of possible private keys.
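
Added example, not code from any poster or from Electrum: the index rules from posts #24 and #26 written as a small Python path checker. The function names are hypothetical, and the five-level layout m/purpose'/coin_type'/account'/change/index is assumed to be the BIP44 structure the thread refers to.

```python
HARDENED = 2**31   # the ' marker means "this number plus 2^31" (post #26)
MAX_DEPTH = 255    # levels allowed beyond m (post #26)

def parse_path(path):
    """Turn a path such as m/84'/0'/14'/0/0 into its list of 32-bit indices."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("path must start at the master node m")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))  # h is a common alternative to '
        digits = part[:-1] if hardened else part
        if not (digits.isascii() and digits.isdigit()):
            raise ValueError(f"bad path element {part!r}")
        number = int(digits)
        if number >= HARDENED:  # written numbers run 0 .. 2^31 - 1
            raise ValueError(f"{part!r} is outside 0 .. 2^31 - 1")
        indices.append(number + HARDENED if hardened else number)
    if len(indices) > MAX_DEPTH:
        raise ValueError(f"{len(indices)} levels, the maximum is {MAX_DEPTH}")
    return indices

def bip44_problems(path):
    """List how a path departs from m/purpose'/coin_type'/account'/change/index."""
    idx = parse_path(path)
    if len(idx) != 5:
        return [f"depth {len(idx)}, expected 5"]
    problems = []
    for name, value in zip(("purpose", "coin_type", "account"), idx[:3]):
        if value < HARDENED:
            problems.append(f"{name} is not hardened")
    if idx[3] not in (0, 1):
        problems.append(f"change is {idx[3]}, expected 0 or 1")
    if idx[4] >= HARDENED:
        problems.append("address index is hardened")
    return problems

def wallet_paths(base, count):
    """Receiving (/0/x) and change (/1/x) paths appended to base, as in post #24."""
    return ([f"{base}/0/{x}" for x in range(count)],
            [f"{base}/1/{x}" for x in range(count)])

if __name__ == "__main__":
    # First two paths are from posts #22 and #24; the third is constructed.
    for p in ("m/84'/0'/14'/4/0", "m/84'/0'/14'/4/0/0", "m/84'/0'/14'/0/0"):
        print(p, parse_path(p), bip44_problems(p) or "matches the layout")
```
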
HCP
November 18, 2021, 06:08:18 AM
Merited by Pmalek (2)
 #27

> My paranoid thought experiment relies on the fact that the words for the Electrum passphrase are fixed and known.
This is quite a common concern for a lot of people who don't understand the sheer vastness of the "keyspace" being generated by this "fixed and known" list.

People will quite happily secure their online banking or whatever with a 10-12 character password... if you use UPPERCASE + lowercase + numbers... that's 26+26+10 = 62 possible characters... then we can throw in the 33 ASCII printable "symbol" characters like ~!@#$%^&*()_+ etc... and all up it would be 62+33 = 95 characters in your "fixed and known list".

So, a 12 character password using this list would be: 95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 = 540360087662636962890625 possibilities.

The 2048 word list that Electrum uses means that your "alphabet" has 2048 characters... so that means your 12 word seed is effectively a "12 character password where the alphabet has 2048 characters" in it. Giving up this many different seeds: 2048 * 2048 * 2048 * 2048 * 2048 * 2048 * 2048 * 2048 * 2048 * 2048 * 2048 * 2048 = 5444517870735015415413993718908291383296 possibilities...

Code:
540360087662636962890625
vs
5444517870735015415413993718908291383296
monospaced to illustrate the difference in length of the 2 numbers.

If you're not worried about someone hacking your 12 character password, you don't need to be worried about someone hacking your 12 word seed. ;)
